Silflay Hraka?


Bigwig is a systems administrator at a public university
Hrairoo is the proprietor of a quality used bookstore
Kehaar is.
Woundwort is a professor of counseling at a private university


August 14, 2003

Irresponsible Speculation

Maybe it's just that Blaster's been on my mind, but does it strike anyone else as odd that the Niagara-Mohawk power grid failed during a time of heavy network stress caused by that worm?

Maybe the blackout isn't due to an act of terrorism, though since no one knows why the grid collapsed it would seem premature to rule that out as a cause. But might it also have been caused by a worm?

Take a look at what the Niagara-Mohawk webserver returned to me a short while ago, though everything seems fine now.

[a long run of unprintable binary, as the browser rendered it, followed by the response headers:]

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/4.0
Date: Thu, 14 Aug 2003 22:55:01 GMT
Cache-Control: max-age=1800
Expires: Thu, 14 Aug 2003 23:25:01 GMT
ETag: "483c497fe051c31:6c72"
Content-Length: 0

So, at least part of the Niagara-Mohawk server network relies on Windows: IIS 4.0 is the web server that ships with the Windows NT 4.0 Option Pack. (The usable fact in that dump is the Server header. A 304 Not Modified carries no body, and this one says Content-Length: 0, so the unprintable bytes ahead of it are most likely a cached or compressed page the browser displayed raw, not a sign of anything going wrong on the server.)

Blaster has been busy crashing Windows machines at a record pace over the last two days, and the Niagara-Mohawk grid went down today. Coincidence?

Probably. But if not, you heard it here first. :)

Update: A quick lesson in ports. A port is the number a program listens on, so that a connection from another computer reaches that program and not some other one. Blaster's use of ports is a little more involved than "it connects via port 4444": it scans for Windows machines on TCP port 135, hits the RPC/DCOM hole there (the one Microsoft patched in MS03-026), and the exploit starts a command shell listening on TCP port 4444 on the victim, through which the victim is told to fetch msblast.exe from the attacker over TFTP (UDP port 69). So a host answering on 4444 is a freshly exploited machine, and that is what the test below probes for.

When I try to connect to that port on one of my machines, this is what happens

$ telnet web8.isis.unc.edu 4444
Trying 152.2.1.212...
telnet: Unable to connect to remote host: Connection refused

The attempt is refused immediately: the machine answered with a TCP reset, so it is up and reachable and nothing on it is listening on 4444.

So, let's look up niagaramohawk.com and try the same thing

$ nslookup niagaramohawk.com
Server: ns3.oit.unc.edu
Address: 152.2.21.1

Non-authoritative answer:
Name: niagaramohawk.com
Address: 148.183.56.34

$ telnet 148.183.56.34
Trying 148.183.56.34...
telnet: Unable to connect to remote host: Connection refused

So far so good: telnet's default port 23 is refused the same way, so the host is reachable. Now let's try the port Blaster's shell would be listening on.

$ telnet 148.183.56.34 4444
Trying 148.183.56.34...
telnet: Unable to connect to remote host: Connection timed out

That is not the same thing at all. If the port were closed like the others, the message should have been the same "Connection refused", because a closed port answers with a reset. A timeout means no reply came back at all, which is what a firewall that silently drops packets produces, not what a closed port does. I'm not positive it is open, but neither is the port definitively closed, as others on the system demonstrably are.

Remember, the worm would not necessarily have to infect the computers actually running the grid to affect them. Blaster's scanning is noisy: every infected machine sprays connection attempts at port 135 across whole address ranges, and an unpatched Windows box that gets hit but not successfully taken over often has its RPC service crash and the machine reboot. Simply clogging the internal network with port scans might well be enough to crash the system.
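As an added example (editor's code, not part of the original post), here is the kind of check a firewall-log reader would do to spot the Blaster traffic pattern described in the Update above: one source hitting TCP 135 on a run of consecutive addresses, a connection to TCP 4444 on one of those addresses, and that victim then pulling a file over TFTP (UDP 69). The log format, the addresses and the threshold are constructed for the example and stand in for whatever a site's firewall actually logs.

```python
import re
from collections import defaultdict

# Constructed firewall log lines, not real data from any utility. The format is an
# assumption (iptables-style key=value fields, as many 2003-era firewalls logged).
def _entry(src, dst, proto, dpt, action="DROP"):
    return (f"Aug 14 14:01:02 fw kernel: {action} IN=eth1 SRC={src} DST={dst} "
            f"PROTO={proto} SPT=1034 DPT={dpt}")

SAMPLE_LOG = "\n".join(
    # one infected desktop walking its own /24 on TCP 135, the way Blaster scans
    [_entry("10.20.5.17", f"10.20.5.{i}", "TCP", 135) for i in range(1, 11)]
    # the exploit's command shell on the victim, reached on TCP 4444 ...
    + [_entry("10.20.5.17", "10.20.5.9", "TCP", 4444, "ACCEPT"),
       # ... and the victim pulling msblast.exe back over TFTP
       _entry("10.20.5.9", "10.20.5.17", "UDP", 69, "ACCEPT"),
       # ordinary traffic that must not be flagged: a web hit and a single RPC call
       _entry("10.20.7.3", "10.20.1.1", "TCP", 80, "ACCEPT"),
       _entry("10.20.7.3", "10.20.1.5", "TCP", 135, "ACCEPT")]
)

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return src/dst/proto/dpt for one log line, or None if it is not a packet record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec

def _consecutive(addrs):
    """True when the targets' last octets form an unbroken run (1,2,3,...), which is
    Blaster walking a netblock in order; normal RPC clients do not do that. Only the
    last octet is compared, so this is a heuristic for targets within one /24."""
    last = sorted(int(a.rsplit(".", 1)[1]) for a in addrs)
    return len(last) > 1 and all(b - a == 1 for a, b in zip(last, last[1:]))

def analyse(log_text, scan_threshold=8):
    """Summarise Blaster-shaped activity in a block of log lines."""
    rpc_targets = defaultdict(set)  # src -> distinct dst hit on TCP 135
    shell_connects = []             # (src, dst) pairs on TCP 4444
    tftp_fetches = []               # (src, dst) pairs on UDP 69
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dpt"])
        if key == ("TCP", 135):
            rpc_targets[rec["src"]].add(rec["dst"])
        elif key == ("TCP", 4444):
            shell_connects.append((rec["src"], rec["dst"]))
        elif key == ("UDP", 69):
            tftp_fetches.append((rec["src"], rec["dst"]))
    scanners = {
        src: {"hosts": len(dsts), "consecutive": _consecutive(dsts)}
        for src, dsts in rpc_targets.items() if len(dsts) >= scan_threshold
    }
    return {"scanners": scanners,
            "shell_connects": shell_connects,
            "tftp_fetches": tftp_fetches}

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, info in report["scanners"].items():
        print(f"{src}: {info['hosts']} hosts on TCP 135, consecutive={info['consecutive']}")
    for src, dst in report["shell_connects"]:
        print(f"{src} -> {dst}:4444  (shell bound by the RPC exploit)")
    for src, dst in report["tftp_fetches"]:
        print(f"{src} -> {dst}:69/udp  (victim fetching the worm body)")
```

The 135 scan alone is the loud signal; the 4444 connection and the TFTP fetch in the other direction are what tell you a particular target was actually taken over rather than just knocked on.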

And here's a bit more evidence that Windows computers are part of something more than just the desktop environment at Niagara-Mohawk.

Work Experience

Systems Analyst, Niagara Mohawk Power Corporation, Syracuse, NY.
Design a SQL Server Based Decision Support System from the central Niagara Mohawk data warehouse.

Test and document the data warehouse operations as well as supporting applications. Perform data analysis and data mining to support business decisions.

Automation of relational database systems. Create front end programs using Visual Basic, SQL Server and other software

Install and upgrade new hardware and software, troubleshoot network and client-server related problems directly with the end-users or using remote login software.

Manage NT Server for the department. Includes managing logins, security, backups and maintenance.

If an unpatched Windows server was the proximate cause of a multi state power outage....I'd hate to own Microsoft stock right about now.

More Update: Well, still no word on the OS N-M's grid servers are running, but there has been intense speculation in the past about the vulnerability of the grid to hackers and viruses, in language that strongly suggests Microsoft software is being used in critical systems.

The energy industry continues to be the target of Internet-based probes and hacker attacks that seek to exploit known vulnerabilities in off-the-shelf software and systems that are increasingly being used to control and manage the power grid, according to the CIAO report.

Likewise, the sector continues to fall victim to poor personnel security practices, ports and services that are open to the Internet, outdated software without current security patches and improperly configured systems.

"With the system itself teetering on the brink of collapse, it becomes easier for a smaller incident to have a wider impact," said David Thompson, a security analyst at New York-based PricewaterhouseCoopers. "For instance, if someone were to find a way to force the shutdown of a single power plant or a section of the power grid, the results would be much more devastating, since there is not enough reserve capacity to take up the slack."

Final Update: CERT says it has no proof Blaster caused the outage.

Posted by Bigwig at August 14, 2003 07:08 PM
Comments

No surprise at all that their web server, which might well just be a colocated contract job, runs IIS.

I'd be AMAZED if anything that ran The Grid directly was both running Windows and exposed to the open network. I expect most of the systems that actually run The Grid are legacy systems on mainframes and/or other custom jobs.

Anyone know better?

Posted by: Sigivald at August 14, 2003 07:26 PM

Still looking......

Posted by: bigwig at August 14, 2003 07:40 PM

I sort of entertained the same thought briefly, as I've been watching this virus all week in my firewall logs. But I'm seeing something different than you are. For me, MSBlast has been attempting to hit the same ports constantly, but it's hitting ports 135 and 445 (RPC) which I've closed. I haven't seen port 4444 jumped on. Guess maybe I should close that one too?

Posted by: MarcL at August 14, 2003 09:00 PM

Don't unduly underestimate Niagara Mohawk's ability to screw up.

Granted a near monopoly on upstate New York power production, they threatened to drive themselves into bankruptcy if the Public Service Commission didn't grant immediate and stark rate hikes.

Given the opportunity to partially privatize - which when done properly increases profits and decreases cost to the customer - they threatened to declare bankruptcy.

When faced with three nuke plants that suddenly appeared to be getting profitable, around the time they were threatening bankruptcy... they sold them off to the State of New York, taking a massive loss.

Either they were trying to avoid income tax the Arianna Huffington way, or they are running a publicly held corporation as if it were a bloated, uncompetitive government monopoly. So if you think they may have had something to do with the grid going Tango Uniform...

Well, I wouldn't draw any conclusions here. Fox might sue me if I did.

Posted by: Blackavar at August 15, 2003 12:22 AM

As one still learning how to write successful HTML code, the images that form in my head in an attempt to comprehend that which Bigwig hath said are simply too mind blowing to grasp... however, with whatever undamaged brain cells I do retain, methinks there are a great many more peeps who think like me than not, and what we have begun to experience, and therefore be reminded of, is our vulnerability.

Not even an hour had passed since the power failed that the local stupid market by me was a scene of mayhem and madness. There was not one ice cube to be had; no batteries; no candles, and forget about bottled water!

"Was it terrorists?" I heard people asking of each other, "Do they know what caused it yet?"

Anyway... I have begun to ramble... thank you, once again Bigwig, for offering me a much bigger view of this life than I am accustomed to. lorelei

Posted by: Lorelei at August 15, 2003 02:45 AM

Don't know about the proximate cause, but I cannot help noticing its effect was almost exactly the same as the '68 blackout. One station crashes, others shunt to supply its customers, overloads occur so other parts crash, more rerouting, more overloads... This was supposed to have been fixed, if necessary by not supplying the affected area(s).

Posted by: John Anderson at August 15, 2003 09:35 AM

Here's something from www.netcraft.com (sorry about formatting)

OS, Web Server and Hosting History for www.niagaramohawk.com

OS              Server             Last changed  IP address     Netblock Owner
unknown         Microsoft-IIS/4.0  3-Nov-2002    148.183.56.26  Niagara Mohawk Power Corp
NT4/Windows 98  Microsoft-IIS/4.0  2-Nov-2002    148.183.56.26  Niagara Mohawk Power Corp
unknown         Microsoft-IIS/4.0  30-Oct-2002   148.183.56.26  Niagara Mohawk Power Corp
NT4/Windows 98  Microsoft-IIS/4.0  5-Aug-2002    148.183.56.26  Niagara Mohawk Power Corp
unknown         Microsoft-IIS/4.0  25-Apr-2002   148.183.56.26  Niagara Mohawk Power Corp
NT4/Windows 98  Microsoft-IIS/4.0  24-Apr-2002   148.183.56.26  Niagara Mohawk Power Corp
unknown         Microsoft-IIS/4.0  20-Apr-2002   148.183.56.26  Niagara Mohawk Power Corp
NT4/Windows 98  Microsoft-IIS/4.0  27-Aug-2001   148.183.56.26  Niagara Mohawk Power Corp
unknown         Microsoft-IIS/4.0  16-May-2001   148.183.56.26  Niagara Mohawk Power Corp
unknown         unknown            15-May-2001   148.183.56.26  Niagara Mohawk Power Corp

Posted by: Larry Lurex at August 15, 2003 10:22 AM

A technical quibble:

A "connection refused" message happens when a firewall is programmed to, well, refuse all illegal connections. The incoming machine tries to open the port, and the firewall says "nuh-uh."

A "connection timed out" message happens when a) there's simply nothing on the other end to connect to or b) the firewall has been configured to silently drop any packets sent to illegal ports. The incoming machine tries to open the port and gets no response at all. It'll keep trying until it just gives up.

Of the two behaviors, the latter is actually preferred in security circles because it slows down sequential port scanners. Instead of "are you open" "NO" "are you open" "NO" in rapid fire sequence, the scanner gets "are you open? Hey, you open? Hello? Anyone there?"

Apologies if you knew all this already. Just trying to help out :)

Posted by: Scott at August 15, 2003 12:41 PM
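The three outcomes in the post's telnet runs and in Scott's explanation above ("Connection refused", "Connection timed out", and a completed connection) are what the TCP stack reports for a reset, for silence, and for a finished handshake. As an added example (editor's code, not from the post or the comments), here is a probe that classifies a port the same way. The "open" and "closed" cases are exercised against a local listener and a free loopback port so it runs offline; the filtered case is demonstrated against 192.0.2.1, an RFC 5737 documentation address that is never routed, so on a machine with a default route the SYNs go nowhere and the probe times out just as the post's 4444 probe did.

```python
import socket
from contextlib import contextmanager

# What telnet printed for each outcome in the post. The fourth, "unreachable",
# is what you get when the local routing table rejects the destination outright.
TELNET_SAYS = {
    "open": "Connected to <host>.",
    "closed": "telnet: Unable to connect to remote host: Connection refused",
    "filtered": "telnet: Unable to connect to remote host: Connection timed out",
    "unreachable": "telnet: Unable to connect to remote host: No route to host",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP port from the result of a plain connect().

    open         three-way handshake completed: something is listening
    closed       the host answered the SYN with a RST: reachable, nothing listening
    filtered     no reply at all within the timeout: a firewall (or a black hole)
                 dropped the SYN silently, so nothing can be said about the port
    unreachable  the local stack refused to even send (no route / network down)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()

@contextmanager
def local_listener():
    """A real listener on 127.0.0.1 on a kernel-chosen port, for the 'open' case.
    The kernel completes the handshake from the backlog even though accept()
    is never called, which is all a connect()-based probe can see anyway."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()

def free_local_port():
    """A loopback port with nothing behind it, for the 'closed' case: bind to pick
    a free number, then release it without ever listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    with local_listener() as port:
        print(f"127.0.0.1:{port}  ->", probe("127.0.0.1", port))
    port = free_local_port()
    print(f"127.0.0.1:{port}  ->", probe("127.0.0.1", port))
    # 192.0.2.1 is TEST-NET-1 (RFC 5737): never routed on the real Internet, so on a
    # host with a default route the SYN is silently swallowed and this times out,
    # like the post's probe of 148.183.56.34:4444. Without a default route the
    # kernel reports "unreachable" instead.
    print("192.0.2.1:4444  ->", probe("192.0.2.1", 4444, timeout=2.0))
```

The practical point for reading the post's output: a timeout rules out "open" as firmly as it rules out "closed" (an open port would have answered), so the only honest label for 148.183.56.34:4444 is "filtered".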

Hi Scott,

No, thanks. I probably should have pointed that out more explicitly in the original post, rather than relying on the "I'm not positive it is open, but neither is the port definitively closed, as others on the system demonstrably are" phraseology. At the time, getting the post up seemed more important than explaining all the permutations of port connections.

Posted by: Bigwig at August 15, 2003 01:30 PM